A pro-Palestinian cyber espionage group focused on compromising government targets in the Middle East has improved its attack tools with a sophisticated initial access downloader — all the while largely ignoring the conflict unfolding in Israel and the Palestinian territories.
TA402 (aka Molerats and Frankenstein), which has been active for more than a decade, rolled out a new sophisticated tool named IronWind, which it used in three campaigns aimed at compromising systems within government agencies throughout the Middle East and Northern Africa, security firm Proofpoint stated in an analysis published on Nov. 14.
The group has moved away from off-the-shelf tools to more custom code targeting a limited subset of government organizations, the firm stated.
While threat actors from the “Big Four” countries — Russia, China, Iran, and North Korea — are seen as the most active and capable, Molerats shows that smaller groups can have sophisticated tools and operational security, says Josh Miller, a senior threat researcher with Proofpoint.
“Seeing all this sophistication from an adversary outside of the Big Four, I think, is somewhat unusual,” he says. “So, to see a relatively sophisticated piece of malware and overall kill chain — especially one so highly geofenced to Arabic speakers — that’s noteworthy.”
Molerats Retools With IronWind
The Molerats group is one of the few that appears to be located in, or in the same region, as the Palestinian territories. The most recent cyberattack campaign by Molerats uses economic-themed phishing attacks in Arabic as a lure targeting regional governments, Proofpoint stated in its analysis. The link in the email leads to a malicious Microsoft PowerPoint add-in file, which, when executed, downloads a third stage of the attack, a shellcode loader, which leads to the final stage, a .NET backdoor.
Over the past few months, the group has modified the attack chain to use different lures and different malicious second-stage files, focusing on Excel files in August and RAR archive files in October. The group also uses geofencing to limit the scope of the attacks, redirecting parts of the attack chain to benign documents on legitimate servers to avoid detection.
For the most part, the group has continued its espionage business-as-usual, despite the deadly conflict in the region, says Proofpoint’s Miller.
“There have been some commentators that have said, now that Israel has started their offensive, that Molerats and Palestinian cyber operators are going to be taken off the board, but that’s not what we’ve seen,” Miller says. “They are continuing to target the same sort of customers, and they’re not necessarily shifting their targeting or changing their tactics from before the conflict.”
An Evolving Group
Crowdstrike tracks the group Extreme Jackal, which is similar in tactics to Molerats, and Adam Meyers, senior vice president of counter-adversary operations for CrowdStrike, highlighted the Hamas-linked group’s evolution from using cybercriminal tools to creating its own.
“Historically, Extreme Jackal employed a range of commercially available tools to achieve its likely intelligence collection operations,” Meyers says. “As of today, however, the adversary has demonstrated a shift toward the exclusive use of custom malware.”
While Proofpoint does not agree that the two designations describe the same group, the company does come to the same conclusion.
“TA402 remains a persistent and innovative threat actor that routinely retools its attack methods and malware in support of its cyber espionage mandate,” the Proofpoint analysis concluded, which added a warning: “While TA402 is an intelligence collection focused threat actor with a specific interest in Middle Eastern and North African government entities, the group could find itself under direction to adjust its targeting or social engineering lure in reaction to the ongoing Israel-Hamas conflict.”